U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

OFFICE OF THE CHIEF INFORMATION OFFICER

The Department's Privacy Impact Assessment Process Is Generally Implemented Well, But Some Improvements Are Needed

Final Inspection Report No. OSE-19047/September 2008

Office of Systems Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

SEP 24 2008

MEMORANDUM FOR:  Suzanne Hilding
                 Chief Information Officer

FROM:            Judith J. Gorman
                 Assistant Inspector General for Audit and Evaluation

SUBJECT:         The Department's Privacy Impact Assessment Process Is Generally Implemented Well, But Some Improvements Are Needed
                 Final Report No. OSE-19047

This is our final report on the results of our Federal Information Security Management Act (FISMA) evaluation of the Department's privacy impact assessment process and Web privacy policy and processes. We recommended several policy and process improvements, but overall we found that the Department's IT privacy policy and privacy impact assessments comply with the E-Government Act and OMB guidance, and a process is in place to ensure Web policy compliance.

In response to our draft report, you concurred with our findings and indicated that the Office of the Chief Information Officer will implement all the recommendations outlined in the report. We request that you provide us an action plan describing the actions you have taken or plan to take in response to our recommendations within 60 calendar days of the date of this report. The plan should be in the form of plans of action and milestones (POA&Ms) as required by FISMA.

We appreciate the cooperation and courtesies extended to us by your staff and Commerce operating unit personnel during our evaluation. If you would like to discuss any of the issues raised in this report, please call me at (202) 482-2754 or Allen Crawley, Deputy Assistant Inspector General for Systems Evaluation, at (202) 482-1855.

cc:  Lisa Westerback, Director, Office of IT Policy and Planning
     Earl Neal, Director, Office of IT Security, Infrastructure and Technology
     Trudy Gallic, Audit Liaison


U.S. Department of Commerce, Office of Inspector General
Final Report OSE-19047, September 2008

CONTENTS

Introduction
Findings and Recommendations
   I.   The Department’s IT Privacy Policy Is Out-of-Date and Needs Revision
   II.  Some PIAs Do Not Adequately Address All the Required Elements
   III. The Department Has Implemented a Process for Determining Web Policy Compliance but Needs to Strengthen Validation
Appendix A: Objectives, Scope, and Methodology
Appendix B: Reviewed Privacy Impact Assessments
Appendix C: Chief Information Officer Response


INTRODUCTION

Federal agencies obtain and maintain significant amounts of personally identifiable information (PII) about individuals that must be safeguarded from loss or misuse. The E-Government Act of 2002 requires agencies to conduct privacy impact assessments (PIAs) of information systems and collections containing PII and, if practicable, to make them publicly available to assure the public that personal information is well protected. The act also requires agencies to post privacy policies on their public Web sites in a machine-readable format.

The Department’s Information Technology (IT) Privacy Policy, last revised January 29, 2007, sets out Commerce’s policies for implementing the privacy provisions in the E-Government Act and the requirements of the Office of Management and Budget’s (OMB’s) M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. The Department’s IT privacy policy defines the responsibilities Commerce operating units have for conducting PIAs and posting PIAs and privacy policies on Commerce Web sites. In accordance with OMB M-03-22, the Department’s IT privacy policy requires that all PIAs document the following elements:

     o What information is being collected, maintained, or disseminated.
     o Why the information is being collected, maintained, or disseminated.
     o Intended use of the information.
     o With whom the information will be shared.
     o What opportunities individuals or businesses have to decline providing information in the case of voluntary collections; and opportunities to consent to particular uses of the information and how they can grant consent.
     o How the information is secured.
     o Whether the collection will result in the creation of a system of records [1] within the meaning of the Privacy Act.

In addition, the Department’s Chief Information Officer (CIO) requires the following elements to be documented:

     o Identifying information: OMB Exhibit 300 Identification Number; name of system or OMB information collection control number; related Privacy Act System of Records notice; and name, e-mail address, and phone number of a contact person.
     o A brief description of the system.
     o Event or reason the PIA was conducted.
     o The law or regulation that authorizes collection and maintenance of the information.

The policy names the Department’s CIO as the official responsible for ensuring that personally identifiable information in Commerce systems is effectively protected. These responsibilities include developing and disseminating policy and guidance on preparation of and posting Web privacy policies and PIAs and reviewing and approving PIAs. The CIO is also responsible for the submission of mandatory PIAs to OMB as well as required E-Government Act compliance reports.

[1] The Privacy Act of 1974 (5 U.S.C. § 552a) defines a system of records as a group of records under the control of the agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

OMB requires offices of inspector general to qualitatively assess the agencies’ PIA processes as part of the Federal Information Security Management Act (FISMA) reporting requirements. To meet our FY 2008 FISMA requirements, we evaluated the Department’s PIA and Web privacy processes. We sought to determine whether the Department’s PIA process included all the key aspects of conducting and publicly posting PIAs as called for in the E-Government Act and in OMB guidance. We also sought to determine whether policies and processes for determining continued compliance with stated Web privacy policies are adequate and ensure machine-readability on public Web sites. (See appendix A.)

Chief Information Officer Response

In responding to our draft report, the Department’s Chief Information Officer concurred with all of our recommendations. The CIO’s written response is included as appendix C.


FINDINGS AND RECOMMENDATIONS

I.    The Department’s IT Privacy Policy Is Out-of-Date and Needs Revision

The Department’s IT privacy policy provides guidance for determining when a PIA must be conducted for an information system or collection and what information must be documented. The policy is consistent with the E-Government Act and OMB M-03-22 guidance but is outdated. The policy does not include new PIA requirements recently imposed by the Department’s CIO.

In a December 18, 2007, memorandum to all chief information officers, Data Extract Log and Verify Requirement, the Department’s CIO required operating units to take the following actions by March 28, 2008:

     1. Review and update all existing PIAs, specifically describing how the log and verify requirement of OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, has been implemented for the system. [2]

     2. Develop PIAs for all investigative, law enforcement case files, and human resource databases even if they were previously exempt because they have not been modified or contain information only about federal employees.

Although the stated purpose of the memorandum was to document the implementation of OMB’s data extract log and verify requirement, it effectively changes the IT privacy policy PIA exemption for legacy and currently operational systems, as well as systems that contain information only about federal employees, and requires that all Commerce systems containing PII be assessed for privacy impact. We confirmed that the Department intends all Commerce systems with any personally identifiable information to have a PIA.

We also found the Department’s Office of the CIO (OCIO) has requested that PIAs document whether the records collected are being retained, and if so, to include the specified retention schedule. However, these requirements are not part of the Department’s IT privacy policy.

As the authoritative source for guidance on the PIA process, the Department’s IT privacy policy should be updated and revised to incorporate all new requirements. We note the Data Extract Log and Verify Requirement memorandum has been posted to the Department’s IT security and privacy Web page, but there is no indication that it contains new requirements or changes to the PIA process.

Finally, in describing the requirements for privacy impact assessments, the Department’s IT security policy references the E-Government Act but does not refer to the IT privacy policy. This reference should be included in the current IT security policy update.

[2] OMB M-07-16 requires that agencies log all computer-readable data extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days or its use is still required.

Recommendations

The Department’s Chief Information Officer should direct appropriate managers to

1.1    update the IT privacy policy to incorporate all new PIA requirements; and

1.2    update the Department’s IT Security Policy and Minimum Implementation Standards to refer to the IT privacy policy for guidance in developing PIAs.


II.   Some PIAs Do Not Adequately Address All the Required Elements

The Department’s IT privacy policy requires operating units to submit PIAs for review and approval. The Department’s CIO is responsible for the review and approval of PIAs to ensure compliance with the privacy provisions of the E-Government Act, OMB M-03-22, and Department policy.

We reviewed 20 PIAs and found they generally met the intent of OMB’s guidance. We believe this is attributable in part to the helpfulness of OCIO staff in providing guidance and consultation to the operating units during the PIA development and review process. However, 4 PIAs did not provide sufficient information for certain specific elements required by OMB M-03-22—what information is being collected, maintained, or disseminated; with whom the information will be shared; and how the information will be secured.

We also determined that 14 of the PIAs did not include sufficient information for 1 or more of the additional elements required by Department policy (but not by OMB)—identifying information (point of contact information or the OMB Exhibit 300 identification number); event or reason the PIA was conducted; and the law or regulation authorizing the collection and maintenance of the information.

Table 1 identifies the PIAs that did not adequately address the elements discussed in the preceding paragraphs and identifies those elements.

Six PIAs we reviewed did not include the OMB Exhibit 300 identification number. (See table 1.) The Department’s CIO uses the Exhibit 300 process to ensure that systems containing personally identifiable information are identified and assessed. The Department’s IT privacy policy elaborates on the specific relationship between the assessment and Exhibit 300. It states PIAs “must clearly indicate the link between the privacy system or information collection covered by the PIA and the related major information system described in the OMB Exhibit 300.” OCIO staff told us, however, that Exhibit 300 numbers might not be applicable for certain PIAs. OCIO should revise the Exhibit 300 section of the policy to stipulate when an Exhibit 300 number is not needed.

Recommendations

The Department’s Chief Information Officer should direct appropriate managers to

2.1    revise the Exhibit 300 section of the IT privacy policy to make it clear when Exhibit 300 identification numbers are needed in PIAs;

2.2    ensure that PIAs are not approved unless they contain all elements required by the Department’s IT privacy policy; and

2.3    consider developing additional guidance on the level of detail to be provided for each PIA element required by the Department’s IT privacy policy.


Table 1. PIAs That Did Not Adequately Address the Required Elements (X = element not adequately addressed)

                                        OMB M-03-22 elements         Additional Department elements
PIA                                     Collected  Shared  Security  Exhibit 300  Contact  Event  Law

Economic Development Administration (EDA)
  WebCIMS                                                            X                     X

National Telecommunications and Information Administration (NTIA)
  Digital Coupon Program                                   X         X

Office of the Secretary (OS)
  ZyIndex                                                                         X        X      X
  CSTARS                                           X                                       X
  MAPS                                                                            X        X
  ACES                                                               X                     X
  HSPD-12                                                            X            X

National Oceanic and Atmospheric Administration (NOAA)
  Crab EDR                              X
  Permits Alaska                        X                                                  X
  Grants Online                                                                            X
  National Vessel Monitoring System                                                        X
  Marine and Aviation Health Services                                                             X
  Web Application Subsystem                                                                X

U.S. Census Bureau
  Population Estimates                                               X
  National Longitudinal Mortality Study                              X

The following Census PIAs addressed all elements: Center for Economic Studies, Field Support System, Geographic Support Systems, Longitudinal Employer Household Dynamic (LEHD) Program, and Survey of Business Owners.


III.  The Department Has Implemented a Process for Determining Web Policy Compliance but Needs to Strengthen Validation

The E-Government Act requires federal agencies to post machine-readable Web privacy policies on their sites. The Department’s Web policy, Privacy of Visitors to DOC Web Sites, requires all Commerce public Web sites to have privacy policy statements that describe in plain language what information is collected; how long it is retained; how it is used; what information is shared, with whom it is shared, and how the user can give consent; the prohibition on the use of persistent technology except under certain circumstances; and how Web sites that have interactions with children handle getting parental consent.

Machine readability of posted Web privacy policies ensures users can be alerted automatically when posted Web site privacy practices do not match personal privacy preference settings in Web browsers. Machine readability is provided by the Platform for Privacy Preferences Project (P3P) protocol.

OCIO, through its Web Advisory Group, has developed two presentations for training system administrators and users on implementing P3P. The training for system administrators covers development of machine-readable policies on Web sites. The user training covers setting browser preferences.

In January 2001, the Department’s CIO established an annual Web site certification policy, which requires operating unit CIOs to certify their Web sites comply with the Department’s Web policy, including machine readability of privacy policies on public Web sites. For those Web sites that are determined to be noncompliant, the operating unit CIOs must submit a noncompliance report that includes an explanation for the noncompliance and a target date for compliance.

To validate the annual operating units’ certification, Department CIO staff evaluate Commerce’s 21 major Web sites [3] for compliance. However, this approach does not consider the variations in the number of Web sites within operating units. For example, 5 operating units have 1 or 2 Web sites, whereas 3 operating units have more than a hundred. To be effective, the validation should evaluate for each operating unit a number of Web sites proportional to its total number of Web sites. For FY 2007, the Department identified a total of 842 Web sites.

We also found that the evaluation process did not validate P3P implementation. After we brought this problem to the attention of OCIO staff, the validation process was modified to use both the Internet Explorer browser and the World Wide Web Consortium P3P Validator tool to validate P3P implementation. OCIO staff provided us an overview and demonstration of the P3P validation process on several operating unit Web sites we selected.

[3] Commerce defines the major Web sites as the home pages for Commerce, operating units including six NOAA line offices, the U.S. Patent and Trademark Office, the Office of Inspector General, and the Office of General Counsel.
Recommendation

3.1    The Department’s Chief Information Officer should ensure that a more representative number of Web sites across the operating units are examined to validate reported annual compliance with the Department’s Web policy.


APPENDIX A: OBJECTIVES, SCOPE, AND METHODOLOGY

As part of our FY 2008 FISMA requirements, we evaluated whether the Department’s PIA process adheres to existing policy, guidance, and standards. In addition, we evaluated policies and processes for determining continued compliance with stated Web privacy policies and ensuring machine readability on public Web sites (i.e., use of Platform for Privacy Preferences Project [P3P]). The results of this evaluation will be included in our annual FISMA report to OMB.

To meet our objectives, we randomly selected for review 20 of the 36 PIAs that had been approved by the Department. (See appendix B.) We also interviewed the manager and staff from the Office of IT Policy and Planning, which handles the PIA process and Web privacy for the Department’s CIO office, as well as staff from Census, NOAA, and NIST involved in the PIA development and Web privacy compliance processes. Our evaluation criteria included the E-Government Act of 2002; OMB M-07-19, Reporting Instructions for FISMA; OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002; U.S. Department of Commerce Information Technology Privacy Policy; and U.S. Department of Commerce Privacy of Visitors to DOC Web Sites.

We conducted this evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections, January 2005, issued by the President’s Council on Integrity and Efficiency. We performed our fieldwork from February through April 2008.


APPENDIX B: REVIEWED PRIVACY IMPACT ASSESSMENTS

EDA
  1. WebCIMS Correspondence Tracking System

NTIA
  1. Coupon Program for Digital to Analog Converter Boxes

Office of the Secretary
  1. ZyIndex Personnel Security System
  2. Commerce Standard Acquisition Reporting System (CSTARS)/CBUY
  3. Office of Security Management Application for Security (MAPS)
  4. Automated Commerce Employment System
  5. Homeland Security Presidential Directive 12 (HSPD12) Personal Identity Verification PART-1 (PIV-1)

NOAA
  1. Crab Economic Data Report for Bering Sea/Aleutian Islands Management Areas off the Coast of Alaska (NMFS)
  2. Permits and Registrations for Fisheries of the Exclusive Economic Zone off the Coast of Alaska (NMFS)
  3. NOAA Vessel Monitoring System
  4. NOAA Grants Online System
  5. Marine and Aviation Operations Health Services Database
  6. NOS Web Application Subsystem

Census
  1. Center for Economic Studies
  2. Field Support Systems
  3. Geographic Support Systems
  4. Longitudinal Employer Household Dynamic (LEHD) Program
  5. Population Estimates
  6. National Longitudinal Mortality Study (NLMS)
  7. Survey of Business Owners


APPENDIX C: CHIEF INFORMATION OFFICER RESPONSE